National Cybersecurity Compliance

Who must comply with the Information Security Law?

The law applies to subjects of critical information systems listed by the government, including banks, telecom providers, and key state agencies.

Is ISO 27001 mandatory in Georgia?

For critical information system subjects, compliance with ISO 27001 or equivalent national standards is a legal requirement.

What is the reporting deadline for cyber incidents?

Reporting timelines are strict and depend on the severity of the incident; in practice, the relevant CERT/CSIRT must be notified immediately upon detection, so the contact point, the trigger and the deadline should be written into the incident response plan before an incident occurs.

Do private companies need a cybersecurity lawyer?

If you are a regulated entity (bank, telecom) or process significant data, legal counsel is essential to navigate compliance audits and liability issues.


National Cybersecurity Compliance and Regulation in Georgia

In the modern digital era, cybersecurity is no longer just a technical task; it is a strict legal obligation. Georgia has enacted the "Law on Information Security," which designates hundreds of organizations (state agencies, banks, telecoms and others) as "Subjects of Critical Information Systems." This status imposes specific obligations: implementing ISO 27001 standards, conducting regular audits, appointing an information security manager, and reporting to the Digital Governance Agency or the Operational-Technical Agency (depending on the subject's category). Failure to meet these requirements can result in sanctions and serious financial and reputational damage.

Cybersecurity Compliance services help you navigate the complex legal maze and ensure your organization's readiness. The service includes:

  • Subject Categorization Analysis: Determining whether your organization belongs to the subjects of critical information systems and which category it falls under (I, II, or III), which defines the scope of obligations.
  • Legal Gap Analysis: Comparing existing internal policies with legislative requirements and identifying gaps.
  • Incident Response Plan: Developing legal protocols for actions during a cyberattack, including timelines for notifying the regulator and affected parties.
  • Data Protection in Cyberspace: Legally refining data protection mechanisms in accordance with GDPR and Georgian legislation.
  • Audit Support: Legal assistance during external or internal audits, so that the audit report satisfies the statutory requirements and does not expose the organization to sanctions.

In practice, many companies do not realize they are subject to this law until they receive a notification from the regulator. For example, a financial institution that does not conduct mandatory penetration testing (pen-testing) and has no written cybersecurity policy is already in violation of the law. Likewise, during a cyber incident (e.g., a data breach) the company must know exactly whom to notify and by when; a delayed or incorrect notification can itself give rise to liability. A lawyer ensures that the technical team's actions are legally sound.

The field is regulated by the "Law of Georgia on Information Security" and government decrees approving the list of subjects of critical information systems. The law defines the role of Computer Emergency Response Teams (CERT/CSIRT). The "Law on Personal Data Protection" is also significant, as cybersecurity and data protection are closely intertwined.

Working with a lawyer begins with determining the organization's status under the law. Next, the documentation (internal statutes, rules and procedures, contracts with IT providers) is brought into order. The lawyer also trains employees on questions of legal liability. In a crisis, the lawyer acts as the main point of contact with law enforcement agencies.

Legal.ge is a platform gathering Cyber Law experts. Cybersecurity is not just the IT department's job; it is the responsibility of the company's governance and legal department. Protect your business from fines and the legal consequences of cyberattacks with the help of our specialists.

